IN THE CLAIMS

1. (Original) A real-time reference monitor software product comprising, on a
machine-readable medium, a sequence of instructions defining: 

a storage area where real-time state information is stored and from which 
the state information is restored; 

a plurality of rules defining allowable activity based on a pattern of activity; 
and plural interceptors identifying and governing the activity based on an 
application of the rules to the activity. 

2. (Original) The software product of claim 1, further comprising:

a process which correlates the state information across different ones of the 
plural interceptors. 

3. (Original) The software product of claim 2, wherein at least one of the 
plural interceptors is a pre-existing element of a conventional computer operating 
system. 

4. (Original) The software product of claim 2, wherein the process which 
correlates the state information further comprises: 

a rule which defines permissible resource references in view of activity 
identified by the interceptors and the state information; and 

a rule interpreter which applies the rule to the activity identified and the 
state information. 

5. (Original) The software product of claim 4, wherein the rule can be 
modified without restarting the real-time reference monitor. 

6. (Original) The software product of claim 5, wherein the storage area has 
contents which are preserved when the rule is modified. 

7. (Original) The software product of claim 1, wherein the plural reference
interceptors correspond to more than one resource type and wherein the storage 
area is a single storage area. 

8. (Original) The software product of claim 1, further comprising:

an application program interface that can send messages to application 
programs on the same system. 

9. (Original) The software product of claim 8, further comprising: 

an application program interface that can send messages to application 
programs on other systems. 

10. (Original) The software product of claim 1, wherein the plural reference
interceptors monitor two or more of file access, registry access, network access, 
object access, system call access, keyboard access, external inputs and user 
input. 

11. (Currently Amended) A computer-implemented reference monitor,
comprising: 

a monitoring process, executing on a computer, which detects 
plural defined events and generates event messages;

a storage device, on the computer, in which is stored information 
related to the event messages generated by the monitoring process; and 

a rule interpreting process, executing on the computer, which 
responds to characteristics of an event message of the information stored
in the storage device and a set of rules by modifying operation of the
computer according to the set of rules.

12. (Original) The computer-implemented reference monitor of claim 11,
wherein the set of rules is modified in response to the information stored in the 
storage device. 

13. (Original) The computer-implemented reference monitor of claim 12, 
wherein the set of rules is modified and wherein the information stored in the 
storage device is preserved when the set of rules is modified. 

14. (Original) The computer-implemented reference monitor of claim 11, further 
comprising an external event message generating process executing on another 
computer, wherein the external event message generating process 
communicates event messages to the rule interpreting process. 

15. (Withdrawn) A method of implementing a processing policy on a computer, 
comprising: 

detecting first and second events, each having one of a plurality of defined 
event types; generating first and second event messages, each containing 
information about a corresponding one of the first and second events; storing the 
information about the first event; and enforcing the policy responsive to the 
stored information about the first event and the information about the second 
event. 

16. (Withdrawn) The method of claim 15, further comprising: 

applying one of a set of rules to the stored information about the first event 
and the information about the second event to determine the nature of enforcing 
the policy. 

17. (Withdrawn) The method of claim 16, further comprising:

executing an operating system on the computer; 
changing the set of rules without restarting the operating system and 
without losing the stored information. 

18. (Withdrawn) The method of claim 17, further comprising: 

changing the set of rules without interrupting the detecting, generating, 
storing and enforcing. 

19. (New) The software product of claim 2, wherein the process which
correlates the state information further comprises: 

a rule which defines permissible resource references in view of activity 
identified by the interceptors and the state information, the interceptors operable 
to receive a sequence of events indicative of requests for operating system 
resources; and 

a rule interpreter which applies the rule to the activity identified and the 
state information. 

20. (New) The software product of claim 19, wherein the plural reference
interceptors correspond to more than one resource type and wherein the storage 
area is a single storage area responsive to a stateful reference monitor for 
computing a processing policy decision based on a state determined from the 
events from the plural reference interceptors. 



